CN112306019A - Industrial control safety audit system based on protocol deep analysis and application thereof - Google Patents

Info

Publication number
CN112306019A
Authority
CN (China)
Prior art keywords
protocol
industrial control
analysis
industrial
data
Legal status
Pending (the legal status shown is an assumption, not a legal conclusion)
Application number
CN202011169055.7A
Other languages
Chinese (zh)
Inventor
王永峰
关勇
张晓东
彭静
Current Assignee
Beijing Luoan Technology Co Ltd
Original Assignee
Beijing Luoan Technology Co Ltd
Application filed by Beijing Luoan Technology Co Ltd
Priority to CN202011169055.7A
Publication of CN112306019A
Legal status: pending

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/41875 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by quality surveillance of production
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/32 Operator till task planning
    • G05B2219/32368 Quality control
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Manufacturing & Machinery (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An industrial control security audit system based on deep protocol analysis, and its application, comprises a field monitoring layer, a control layer, a physical layer, an industrial control security audit module and a security protection management platform. An industrial Ethernet and a fieldbus are arranged between the field monitoring layer and the physical layer; the field monitoring layer carries out data transmission to and behaviour control of the control layer over the industrial Ethernet; the physical layer is connected to the fieldbus through sensors, actuators and the like; and the field monitoring layer is mainly used to detect anomalies in the industrial network. The system performs targeted detection of abnormal behaviour with high accuracy, and by having the physical layer control the interface to an external control line it achieves effective physical blocking of malicious behaviour such as network attacks and illegal access during the operation of industrial control system equipment, so that losses are stopped in time. The invention improves the protection capability and security level of industrial control system equipment terminals, has good compatibility and applicability, makes adding and removing equipment convenient, and allows the alarm rule base to be updated flexibly to improve the protection capability.

Description

Industrial control safety audit system based on protocol deep analysis and application thereof
Technical Field
The invention relates to the field of industrial control system security, and in particular to an industrial control safety audit system based on deep protocol analysis and its application.
Background
Modern industrial control enterprises comprise not only a production control system but also information management systems for production management, quality control and the like. The integration of control systems and information systems is a strong trend, and the interconnection of the production control system with the management information system has become the basic architecture of an ICS. With the emergence of hacker groups, white-hat communities and open-source communities, attack methods against industrial control systems are ever easier to obtain; at the same time, large numbers of industrial control system vulnerabilities and exploitation methods are available through public or semi-public channels, which greatly lowers the difficulty of a network attack on an industrial control system. With the gradual spread of industrial Ethernet, industrial control products increasingly adopt general-purpose protocols, general-purpose hardware and general-purpose software and are indirectly connected, in various ways, to public networks such as the Internet, so security threats from the traditional IT information network gradually penetrate the production control network.
Current industrial control security audit systems have the following deficiencies. First, they do not distinguish anomalies of the industrial Ethernet from anomalies of the industrial process, which lowers the accuracy of information processing. Second, when a known protocol is analysed it cannot be identified quickly, which wastes valuable processing time and computing power. Third, existing industrial control security audit systems generally monitor network traffic only and ignore anomalies in the time sequence of the network traffic of individual devices, so monitoring is not comprehensive. To solve these problems, the present application provides an industrial control safety audit system based on deep protocol analysis and its application.
Disclosure of Invention
(I) Objects of the invention
To solve the technical problems described in the background art, the invention provides an industrial control safety audit system based on deep protocol analysis and its application. The system performs targeted detection of abnormal behaviour with high accuracy, and by having the physical layer control the interface to an external control line it achieves effective physical blocking of network attacks, illegal access and other malicious behaviour during the operation of industrial control system equipment, so that losses are stopped in time. The invention improves the protection capability and security level of industrial control system equipment terminals, has good compatibility and applicability, makes adding and removing equipment convenient, and allows the alarm rule base to be updated flexibly to improve the protection capability.
(II) Technical scheme
To solve these problems, the invention provides an industrial control safety audit system based on deep protocol analysis and its application, comprising a field monitoring layer, a control layer, a physical layer, an industrial control security audit module and a security protection management platform. An industrial Ethernet and a fieldbus are arranged between the field monitoring layer and the physical layer; the field monitoring layer carries out data transmission to and behaviour control of the control layer over the industrial Ethernet; and the physical layer is connected to the fieldbus through sensors, actuators and the like. The field monitoring layer is mainly used to detect anomalies in the industrial network: it comprehensively analyses the logs of security devices and application programs, the network connection state, the alarm data produced by anomaly detection and the like, and raises an early warning promptly once an anomaly is found. Technically this is realised mainly by anomaly detection based on communication traffic, anomaly detection based on protocols, and anomaly detection based on system operation.
In an alternative embodiment, the industrial Ethernet may use a TCP/IP-based communication protocol such as Modbus TCP or S7comm, and the fieldbus may use one of Modbus RTU and Ethernet communication protocols.
In an alternative embodiment, for anomaly detection based on communication traffic, the common effective means of detecting intrusion during traffic anomaly detection include:
real-time network traffic auditing, namely continuously acquiring and monitoring network traffic in real time, detecting anomalies and raising alarms in real time, and monitoring network events such as network (broadcast) storms and ARP attacks;
abnormal-data alarming, in which a baseline of normal communication behaviour is established from deep packet analysis of the industrial control protocol, the analysis result of the industrial control protocol packets actually captured on the industrial control network is compared with that baseline, and an alarm is raised when the actual behaviour deviates from it;
and communication behaviour tracing, in which every captured network communication packet is recorded in full so that the record can be traced back, audit log records of all network behaviour are generated, and a detailed basis is provided for security incident investigation of the industrial control system.
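The three means above (real-time traffic audit, baseline comparison and tracing) as one added Python example, not code from the patent or its assignee: a minimal deep parse of Modbus TCP requests, a normal-behaviour baseline learned from training traffic and keyed by (source, destination, unit, function code) together with the register span touched, an alarm whenever live traffic falls outside that baseline, and an audit log of every request for later tracing. The host addresses, the frames and the training traffic are constructed for the example; a real deployment would learn over a far longer window and persist the log.

```python
import struct
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

WRITE_FUNCTIONS = {5, 6, 15, 16, 23}


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    unit: int
    function: int
    address: int
    count: int


def parse_modbus_request(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Deep parse of a Modbus/TCP request: the 7-byte MBAP header, then the PDU
    fields that matter for baselining (function code, start address, quantity)."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:   # length counts unit id + PDU
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc = payload[7]
    if fc in (1, 2, 3, 4, 15, 16):                     # address + quantity
        address, count = struct.unpack(">HH", payload[8:12])
    elif fc in (5, 6):                                  # single coil/register: address + value
        address, count = struct.unpack(">H", payload[8:10])[0], 1
    else:                                               # other functions carry no register span
        address, count = 0, 0
    return ModbusRequest(src, dst, unit, fc, address, count)


class BehaviourBaseline:
    """For every (src, dst, unit, function) seen during training, remember the
    lowest and highest register address touched; anything else is a deviation."""

    def __init__(self) -> None:
        self.ranges: Dict[Tuple[str, str, int, int], List[int]] = {}
        self.audit_log: List[dict] = []   # every request with its verdict, for tracing

    @staticmethod
    def _span(req: ModbusRequest) -> Tuple[int, int]:
        return req.address, req.address + max(req.count, 1) - 1

    def learn(self, req: ModbusRequest) -> None:
        key = (req.src, req.dst, req.unit, req.function)
        lo, hi = self._span(req)
        cur = self.ranges.get(key)
        self.ranges[key] = [lo, hi] if cur is None else [min(cur[0], lo), max(cur[1], hi)]

    def check(self, req: ModbusRequest) -> str:
        key = (req.src, req.dst, req.unit, req.function)
        lo, hi = self._span(req)
        if key not in self.ranges:
            kind = "write" if req.function in WRITE_FUNCTIONS else "conversation"
            verdict = "ALARM: unseen %s %s" % (kind, key)
        elif lo < self.ranges[key][0] or hi > self.ranges[key][1]:
            verdict = "ALARM: registers %d-%d outside learned range %s for %s" % (
                lo, hi, self.ranges[key], key)
        else:
            verdict = "ok"
        self.audit_log.append({**asdict(req), "verdict": verdict})
        return verdict


# Constructed hosts and frames (not real captures).
HMI, PLC, ROGUE = "10.0.0.5", "10.0.0.20", "10.0.0.99"
READ_0_10 = bytes.fromhex("00010000000601030000000a")            # fc 3, registers 0..9
WRITE_100 = bytes.fromhex("00020000000b0110006400020400010002")  # fc 16, registers 100..101
WRITE_500 = bytes.fromhex("000300000009011001f40001020000")      # fc 16, register 500
WRITE_SINGLE = bytes.fromhex("00040000000601060000ffff")         # fc 6, register 0


def run_demo() -> Tuple[List[str], int]:
    """Learn the HMI's normal polling, then check three live requests.
    Returns the verdicts and the number of audit-log entries written."""
    baseline = BehaviourBaseline()
    for frame in (READ_0_10, WRITE_100):
        baseline.learn(parse_modbus_request(HMI, PLC, frame))
    live = [(HMI, READ_0_10), (HMI, WRITE_500), (ROGUE, WRITE_SINGLE)]
    verdicts = [baseline.check(parse_modbus_request(src, PLC, f)) for src, f in live]
    return verdicts, len(baseline.audit_log)


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The audit log keeps the "ok" entries as well as the alarms: tracing after an incident needs the complete record, not only the events that tripped a rule.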
In an optional embodiment, protocol-based anomaly detection mainly covers the industrial control configuration software and the proprietary and industrial protocols commonly used in industrial control communication networks, including CAN and Modbus TCP; the authentication mechanism, integrity verification mechanism and anti-replay mechanism of the protocol itself can be configured and completed, so that anomalies are detected in a targeted way. The identification methods mainly include:
port-based identification: a default communication port is generally defined in the original communication specification of a protocol, so most TCP/IP-based network communication protocols can be identified by port mapping, i.e. the type of communication protocol is recognised from the port number registered for it with the Internet Assigned Numbers Authority (IANA); this is fast but only a hint, since a protocol can be run on an unregistered port;
behaviour-feature-based identification: during the operation of an industrial system, different devices and different communication protocols generate different traffic; protocol identification based on communication behaviour features borrows the protocol identification methods of the IT field and distinguishes several protocols by the differences in the traffic features they generate during communication;
payload-based protocol identification: on top of keyword identification and identification of the network-layer header of the protocol packet, a preliminary identification of the application-layer data is added; when a protocol packet passes through the identification module, a DPI analysis engine matches protocol keywords against application-layer keywords and identifies the application-layer protocol type, which makes identification of known protocols more accurate.
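The three identification methods just listed, as an added Python illustration that is not code from the patent or its assignee, applied to two of the protocols the page names: port-based identification from the IANA registrations (502 for Modbus TCP, 102 for S7comm over ISO-on-TCP), payload-based identification from the protocol headers (the MBAP header for Modbus, TPKT/COTP and the S7 protocol id 0x32 for S7comm), and a behaviour-feature check that recognises cyclic polling from the regularity of inter-arrival times and frame sizes. The sample frames, the function-code list and the 0.2 coefficient-of-variation bound are assumptions made for the example.

```python
import struct
from typing import Optional, Sequence, Tuple

# IANA-registered ports for the two protocols (port-based identification).
IANA_PORTS = {502: "Modbus/TCP", 102: "S7comm"}
# Public Modbus function codes an audit probe expects (assumption: a site list may be wider).
MODBUS_FUNCTIONS = {1, 2, 3, 4, 5, 6, 8, 15, 16, 23}


def identify_by_port(dst_port: int) -> Optional[str]:
    """Port-based identification: a hint only, since any protocol can be
    moved to an unregistered port."""
    return IANA_PORTS.get(dst_port)


def looks_like_modbus_tcp(payload: bytes) -> bool:
    """Payload-based identification from the 7-byte MBAP header: protocol id
    must be 0 and the length field must count unit id + PDU exactly."""
    if len(payload) < 8:
        return False
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    func = payload[7] & 0x7F                  # bit 7 set marks an exception response
    return proto_id == 0 and length == len(payload) - 6 and func in MODBUS_FUNCTIONS


def looks_like_s7comm(payload: bytes) -> bool:
    """Payload-based identification: TPKT version 3 whose length matches the
    frame, a COTP data PDU (0xF0), then the S7 protocol id 0x32."""
    if len(payload) < 8:
        return False
    version, _reserved, tpkt_len = struct.unpack(">BBH", payload[:4])
    if version != 3 or tpkt_len != len(payload):
        return False
    cotp_len, cotp_type = payload[4], payload[5]
    s7_offset = 5 + cotp_len                  # the COTP length byte excludes itself
    return cotp_type == 0xF0 and len(payload) > s7_offset and payload[s7_offset] == 0x32


def polling_signature(timestamps: Sequence[float], sizes: Sequence[int],
                      max_cv: float = 0.2) -> bool:
    """Behaviour-feature identification: cyclic SCADA polling has nearly constant
    inter-arrival times and frame sizes, so both coefficients of variation stay small."""
    if len(timestamps) < 3 or len(timestamps) != len(sizes):
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]

    def cv(xs):
        m = sum(xs) / len(xs)
        if m == 0:
            return float("inf")
        return (sum((x - m) ** 2 for x in xs) / len(xs)) ** 0.5 / m

    return cv(gaps) <= max_cv and cv(sizes) <= max_cv


def identify(dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Payload evidence decides; the port only corroborates. A disagreement
    between the two is itself worth reporting."""
    by_payload = None
    if looks_like_modbus_tcp(payload):
        by_payload = "Modbus/TCP"
    elif looks_like_s7comm(payload):
        by_payload = "S7comm"
    by_port = identify_by_port(dst_port)
    if by_payload:
        return by_payload, "payload" if by_payload == by_port else "payload (port mismatch)"
    if by_port:
        return "unknown", "port claims %s, payload does not match" % by_port
    return "unknown", "none"


# Constructed frames (not captured from a real plant).
MODBUS_READ = bytes.fromhex("00010000000601030000000a")   # read 10 holding registers, unit 1
S7_SETUP = bytes.fromhex("03000019" "02f080"               # TPKT (25 bytes), COTP DT
                         "32010000000100080000"            # S7 header: job, param length 8
                         "f0000001000101e0")               # setup communication, PDU size 480
HTTP_GET = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    print(identify(502, MODBUS_READ))    # ('Modbus/TCP', 'payload')
    print(identify(5020, MODBUS_READ))   # ('Modbus/TCP', 'payload (port mismatch)')
    print(identify(102, S7_SETUP))       # ('S7comm', 'payload')
    print(identify(502, HTTP_GET))       # ('unknown', 'port claims Modbus/TCP, payload does not match')
```

The second and fourth cases are the ones a port-only audit misses: Modbus on a non-standard port is still recognised from its header, and non-Modbus traffic on port 502 is not silently accepted as Modbus.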
In an optional embodiment, in anomaly detection based on system operation, since the communication state of an industrial control system is strongly correlated with its time sequence, the normal sequence of system states is analysed with a time-series algorithm, and a system state that deviates from the normal sequence can be detected, so that possible attack behaviour or system fault states are discovered from the system state. Specifically, the network traffic time series can be analysed with a hidden Markov model, and anomaly detection against a common system-behaviour baseline can be performed, including packet operand threshold analysis, a process data baseline and statistical records of operation instructions; in this way industrial control behaviour is analysed, and malicious operation and control carried out through changes to control parameters is monitored.
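An added Python example (not from the patent) of the system-operation checks named above, built on the three baseline items the page lists: a write-rate threshold derived from the statistical record of operation instructions (packet operand threshold), a process data baseline of value range and largest step per register, and a learned table of state transitions between function codes. The transition table is a first-order Markov record of observed transitions standing in for the hidden Markov model, an assumption that keeps the example short. The operation records, the 10-second window and the mean plus three standard deviations threshold are constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

WRITE_FUNCTIONS = {5, 6, 15, 16, 23}
# One operation record: (time in seconds, function code, register address, value).
Record = Tuple[float, int, int, int]


class OperationBaseline:
    def __init__(self, window: float = 10.0) -> None:
        self.window = window
        self.write_threshold = 0.0                          # writes per window, mean + 3 sigma
        self.value_range: Dict[int, Tuple[int, int]] = {}   # process data baseline per register
        self.max_step: Dict[int, int] = {}                  # largest change between consecutive writes
        self.transitions: Set[Tuple[int, int]] = set()      # (previous fc, next fc) seen when normal

    def _writes_per_window(self, records: List[Record]) -> List[Tuple[int, int]]:
        counts = Counter(int(t // self.window) for t, fc, _, _ in records if fc in WRITE_FUNCTIONS)
        last_window = int(records[-1][0] // self.window)
        return [(w, counts.get(w, 0)) for w in range(last_window + 1)]

    def learn(self, records: List[Record]) -> None:
        records = sorted(records)
        counts = [n for _, n in self._writes_per_window(records)]
        self.write_threshold = mean(counts) + 3 * pstdev(counts)
        prev_fc, last_value = None, {}
        for _, fc, addr, val in records:
            if prev_fc is not None:
                self.transitions.add((prev_fc, fc))
            prev_fc = fc
            if fc in WRITE_FUNCTIONS:
                lo, hi = self.value_range.get(addr, (val, val))
                self.value_range[addr] = (min(lo, val), max(hi, val))
                if addr in last_value:
                    self.max_step[addr] = max(self.max_step.get(addr, 0), abs(val - last_value[addr]))
                last_value[addr] = val

    def detect(self, records: List[Record]) -> List[Tuple[str, float, str]]:
        """Return (kind, time, detail) alarms for a batch of live records."""
        records = sorted(records)
        alarms = []
        for w, n in self._writes_per_window(records):
            if n > self.write_threshold:
                alarms.append(("write burst", w * self.window,
                               "%d writes in window, threshold %.2f" % (n, self.write_threshold)))
        prev_fc, last_value = None, {}
        for t, fc, addr, val in records:
            if prev_fc is not None and (prev_fc, fc) not in self.transitions:
                alarms.append(("unseen transition", t, "fc %d -> fc %d" % (prev_fc, fc)))
            prev_fc = fc
            if fc not in WRITE_FUNCTIONS:
                continue
            if addr not in self.value_range:
                alarms.append(("unseen write target", t, "register %d" % addr))
            else:
                lo, hi = self.value_range[addr]
                if not lo <= val <= hi:
                    alarms.append(("value out of range", t,
                                   "register %d = %d, baseline %d..%d" % (addr, val, lo, hi)))
                elif addr in last_value and abs(val - last_value[addr]) > self.max_step.get(addr, 0):
                    alarms.append(("step too large", t,
                                   "register %d jumped %d -> %d" % (addr, last_value[addr], val)))
            last_value[addr] = val
        return alarms


def constructed_traffic() -> Tuple[List[Record], List[Record]]:
    """Constructed records: 60 s of normal operation (1 Hz reads of register 0, a
    setpoint write to register 100 every 5 to 10 s), then 20 s of live traffic with
    a write burst, a setpoint far outside the baseline and a write to a new register."""
    normal = [(float(t), 3, 0, 0) for t in range(60)]
    setpoints = zip((5, 15, 18, 25, 35, 38, 45, 55), (50, 52, 48, 51, 49, 50, 52, 49))
    normal += [(t + 0.5, 6, 100, v) for t, v in setpoints]
    live = [(float(t), 3, 0, 0) for t in range(20)]
    live += [(2.5, 6, 100, 51), (3.5, 6, 100, 52), (4.5, 6, 100, 50),   # burst: 3 writes in 10 s
             (12.5, 6, 100, 95),                                         # setpoint outside 48..52
             (15.5, 16, 200, 1)]                                         # register never written before
    return normal, live


def run_demo() -> List[Tuple[str, float, str]]:
    normal, live = constructed_traffic()
    baseline = OperationBaseline(window=10.0)
    baseline.learn(normal)
    return baseline.detect(live)


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

The write to register 200 raises two kinds of alarm (an unseen transition into function 16 and an unseen write target), which is the intended behaviour: the sequence model and the process baseline are independent views of the same event, and an operator benefits from seeing both.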
In an optional embodiment, the industrial control security audit module mainly comprises the collection of various industrial data, deep parsing and processing of packets, and anomaly detection based on communication protocol data and industrial process data. The collection of industrial data serves as the data source for protocol analysis, and a reliable and efficient collection method ensures that the anomaly detection system analyses the data in a timely way. Deep packet parsing parses the application-layer payload of the industrial control protocol at every analysis point; application-layer protocol parsing rule bases, such as those for Siemens S7comm, Modbus TCP and CANet, are built and used as the parsing standard to complete the deep protocol analysis. Anomaly detection based on communication protocol data and industrial process data mainly uses detection models and detection algorithms to analyse and process the network communication data and industrial engineering data produced by the previous module; when the system detects that industrial control behaviour deviates from the normal operating state, an early warning is issued promptly and the related anomaly information is reported to the security protection management platform.
In an optional embodiment, the application device of the physical layer includes a human-machine interface through which data parameters can be set and the operating mode guided, so that useless anomaly information is not collected; it also includes a connection switch to the external control circuit, so that malicious operations can be physically isolated and losses reduced.
In an optional embodiment, the security protection management platform mainly issues timely and effective warnings according to the different analysis results produced after the data security analysis. The designers of the security audit product can customise the attack alarm rule base of the industrial control network security audit product according to the summarised process control requirements, and can provide, through the operation interface, a flexibly updatable alarm rule base that is changed online according to the process requirements.
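One way to realise the customisable, online-updatable alarm rule base described here, applied to records produced by the audit module's protocol parsers, as an added Python example rather than the assignee's implementation: rules are plain data, a new rule set is validated before it atomically replaces the live one, and a faulty update leaves the previous rules in force. The rule ids, host allow-lists, severities and the parsed-record format are assumptions; the S7comm parameter function codes used (0x28 PLC control, 0x29 PLC stop, 0x1A to 0x1C download) are the values published by public S7comm dissectors, and the Modbus codes are the public write functions and function 8 (diagnostics).

```python
import threading
from typing import Dict, List, Tuple

Alarm = Tuple[str, str, str]   # (rule id, severity, message)

# Initial rule base (constructed for the example). A rule matches a protocol and a
# set of function codes; an optional allow-list exempts known engineering/HMI hosts.
DEFAULT_RULES: List[dict] = [
    {"id": "S7-PLC-CONTROL", "protocol": "s7comm", "functions": [0x28, 0x29],
     "severity": "critical", "message": "PLC control/stop request"},
    {"id": "S7-DOWNLOAD", "protocol": "s7comm", "functions": [0x1A, 0x1B, 0x1C],
     "severity": "high", "message": "program download to PLC from non-engineering host",
     "allowed_sources": ["10.0.0.7"]},
    {"id": "MB-WRITE", "protocol": "modbus", "functions": [5, 6, 15, 16, 23],
     "severity": "medium", "message": "Modbus write from host outside the HMI allow-list",
     "allowed_sources": ["10.0.0.5"]},
]


class RuleBase:
    REQUIRED = {"id", "protocol", "functions", "severity", "message"}
    SEVERITIES = {"low", "medium", "high", "critical"}

    def __init__(self, rules: List[dict]) -> None:
        self._lock = threading.Lock()
        self._rules = self._validate(rules)

    @classmethod
    def _validate(cls, rules: List[dict]) -> List[dict]:
        """Reject a rule set before it can replace the live one: a missing field,
        duplicate id or unknown severity must not silently disable detection."""
        seen = set()
        for rule in rules:
            missing = cls.REQUIRED - set(rule)
            if missing:
                raise ValueError("rule %r missing %s" % (rule.get("id"), sorted(missing)))
            if rule["id"] in seen:
                raise ValueError("duplicate rule id %s" % rule["id"])
            if rule["severity"] not in cls.SEVERITIES:
                raise ValueError("rule %s: unknown severity %r" % (rule["id"], rule["severity"]))
            seen.add(rule["id"])
        return [dict(r) for r in rules]

    def update(self, rules: List[dict]) -> None:
        """Online update: validate first, then swap the whole list under the lock
        so that a concurrent evaluate() never sees a half-applied rule set."""
        validated = self._validate(rules)
        with self._lock:
            self._rules = validated

    def rule_ids(self) -> List[str]:
        with self._lock:
            return [r["id"] for r in self._rules]

    def evaluate(self, record: Dict) -> List[Alarm]:
        """Apply every matching rule to one parsed record {protocol, function, src, dst}."""
        with self._lock:
            rules = self._rules
        alarms = []
        for rule in rules:
            if rule["protocol"] != record["protocol"] or record["function"] not in rule["functions"]:
                continue
            if record["src"] in rule.get("allowed_sources", []):
                continue
            alarms.append((rule["id"], rule["severity"], rule["message"]))
        return alarms


def run_demo() -> Tuple[List[List[Alarm]], List[Alarm], List[str]]:
    """Evaluate constructed records, reject a bad update, then add a rule online
    and re-check the record that only the new rule matches."""
    rb = RuleBase(DEFAULT_RULES)
    records = [
        {"protocol": "s7comm", "function": 0x29, "src": "10.0.0.99", "dst": "10.0.0.20"},  # PLC stop
        {"protocol": "s7comm", "function": 0x1A, "src": "10.0.0.7", "dst": "10.0.0.20"},   # allowed download
        {"protocol": "modbus", "function": 16, "src": "10.0.0.5", "dst": "10.0.0.21"},     # HMI write, allowed
        {"protocol": "modbus", "function": 6, "src": "10.0.0.99", "dst": "10.0.0.21"},     # rogue write
        {"protocol": "modbus", "function": 8, "src": "10.0.0.99", "dst": "10.0.0.21"},     # diagnostics, no rule yet
    ]
    before = [rb.evaluate(r) for r in records]
    try:                                   # duplicate id: rejected, old rules stay in force
        rb.update(DEFAULT_RULES + [dict(DEFAULT_RULES[0])])
    except ValueError:
        pass
    rb.update(DEFAULT_RULES + [
        {"id": "MB-DIAG", "protocol": "modbus", "functions": [8], "severity": "high",
         "message": "Modbus diagnostic function (sub-functions include restart communications)"}])
    after = rb.evaluate(records[-1])
    return before, after, rb.rule_ids()


if __name__ == "__main__":
    before, after, ids = run_demo()
    print(before)
    print(after)
    print(ids)
```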
The technical scheme of the invention has the following beneficial technical effects:
(1) the invention comprehensively uses a series of technical means, including real-time network traffic auditing, abnormal-data alarming and communication behaviour tracing, to realise anomaly detection based on communication traffic, and performs targeted detection of abnormal behaviour by port-based identification, behaviour-feature-based identification and payload-based protocol identification; through the interfaces of the control system (serial port, USB port, network port and the like) and the external control line, the physical layer achieves effective physical blocking of network attacks, illegal access and other malicious behaviour during the operation of industrial control system equipment and stops losses in time;
(2) through comprehensive security auditing and after-the-fact tracing of packet operand threshold analysis, the process data baseline and the statistical records of operation instructions, the security protection capability and security protection level of industrial control system equipment terminals are improved; keyword query detection makes the identification of known protocols more accurate and ensures timely information acquisition;
(3) the security protection management platform performs centralised, unified management of the terminal security protection strategies of multiple industrial control system devices of the same or different types at the same time, so compatibility is good, applicability is better, adding and removing equipment is convenient, alarms can be reported in time, the alarm rule base can be updated flexibly, and the protection capability is improved.
Drawings
Fig. 1 is a schematic structural diagram of the industrial control security audit system based on deep protocol analysis and its application.
Fig. 2 is a structural block diagram of the industrial control security audit module of the industrial control security audit system based on deep protocol analysis and its application.
Fig. 3 is a structural block diagram of the technical implementation of field monitoring layer detection in the industrial control security audit system based on deep protocol analysis and its application.
Fig. 4 is a functional schematic diagram of the security protection management platform of the industrial control security audit system based on deep protocol analysis and its application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings. It should be understood that this description is illustrative only and is not intended to limit the scope of the invention. Moreover, descriptions of well-known structures and techniques are omitted so as not to obscure the concepts of the invention unnecessarily.
As shown in Figs. 1-4, the industrial control safety audit system based on deep protocol analysis and its application provided by the invention comprises a field monitoring layer, a control layer, a physical layer, an industrial control security audit module and a security protection management platform. An industrial Ethernet and a fieldbus are arranged between the field monitoring layer and the physical layer; the field monitoring layer carries out data transmission to and behaviour control of the control layer over the industrial Ethernet; and the physical layer is connected to the fieldbus through sensors, actuators and the like. The field monitoring layer is mainly used to detect anomalies in the industrial network: it comprehensively analyses the logs of security devices and application programs, the network connection state, the alarm data produced by anomaly detection and the like, and raises an early warning promptly once an anomaly is found. Technically this is realised mainly by anomaly detection based on communication traffic, anomaly detection based on protocols, and anomaly detection based on system operation.
In an alternative embodiment, the industrial Ethernet may use a TCP/IP-based communication protocol such as Modbus TCP or S7comm, and the fieldbus may use one of Modbus RTU and Ethernet communication protocols.
In an alternative embodiment, for anomaly detection based on communication traffic, the common effective means of detecting intrusion during traffic anomaly detection include:
real-time network traffic auditing, namely continuously acquiring and monitoring network traffic in real time, detecting anomalies and raising alarms in real time, and monitoring network events such as network (broadcast) storms and ARP attacks;
abnormal-data alarming, in which a baseline of normal communication behaviour is established from deep packet analysis of the industrial control protocol, the analysis result of the industrial control protocol packets actually captured on the industrial control network is compared with that baseline, and an alarm is raised when the actual behaviour deviates from it;
and communication behaviour tracing, in which every captured network communication packet is recorded in full so that the record can be traced back, audit log records of all network behaviour are generated, and a detailed basis is provided for security incident investigation of the industrial control system.
In an optional embodiment, protocol-based anomaly detection mainly covers the industrial control configuration software and the proprietary and industrial protocols commonly used in industrial control communication networks, including CAN and Modbus TCP; the authentication mechanism, integrity verification mechanism and anti-replay mechanism of the protocol itself can be configured and completed, so that anomalies are detected in a targeted way. The identification methods mainly include:
port-based identification: a default communication port is generally defined in the original communication specification of a protocol, so most TCP/IP-based network communication protocols can be identified by port mapping, i.e. the type of communication protocol is recognised from the port number registered for it with the Internet Assigned Numbers Authority (IANA); this is fast but only a hint, since a protocol can be run on an unregistered port;
behaviour-feature-based identification: during the operation of an industrial system, different devices and different communication protocols generate different traffic; protocol identification based on communication behaviour features borrows the protocol identification methods of the IT field and distinguishes several protocols by the differences in the traffic features they generate during communication;
payload-based protocol identification: on top of keyword identification and identification of the network-layer header of the protocol packet, a preliminary identification of the application-layer data is added; when a protocol packet passes through the identification module, a DPI analysis engine matches protocol keywords against application-layer keywords and identifies the application-layer protocol type, which makes identification of known protocols more accurate.
In an optional embodiment, in anomaly detection based on system operation, since the communication state of an industrial control system is strongly correlated with its time sequence, the normal sequence of system states is analysed with a time-series algorithm, and a system state that deviates from the normal sequence can be detected, so that possible attack behaviour or system fault states are discovered from the system state. Specifically, the network traffic time series can be analysed with a hidden Markov model, and anomaly detection against a common system-behaviour baseline can be performed, including packet operand threshold analysis, a process data baseline and statistical records of operation instructions; in this way industrial control behaviour is analysed, and malicious operation and control carried out through changes to control parameters is monitored.
In an optional embodiment, the industrial control security audit module mainly comprises the collection of various industrial data, deep parsing and processing of packets, and anomaly detection based on communication protocol data and industrial process data. The collection of industrial data serves as the data source for protocol analysis, and a reliable and efficient collection method ensures that the anomaly detection system analyses the data in a timely way. Deep packet parsing parses the application-layer payload of the industrial control protocol at every analysis point; application-layer protocol parsing rule bases, such as those for Siemens S7comm, Modbus TCP and CANet, are built and used as the parsing standard to complete the deep protocol analysis. Anomaly detection based on communication protocol data and industrial process data mainly uses detection models and detection algorithms to analyse and process the network communication data and industrial engineering data produced by the previous module; when the system detects that industrial control behaviour deviates from the normal operating state, an early warning is issued promptly and the related anomaly information is reported to the security protection management platform.
In an optional embodiment, the application device of the physical layer includes a human-machine interface through which data parameters can be set and the operating mode guided, so that useless anomaly information is not collected; it also includes a connection switch to the external control circuit, so that malicious operations can be physically isolated and losses reduced.
In an optional embodiment, the security protection management platform mainly issues timely and effective warnings according to the different analysis results produced after the data security analysis. The designers of the security audit product can customise the attack alarm rule base of the industrial control network security audit product according to the summarised process control requirements, and can provide, through the operation interface, a flexibly updatable alarm rule base that is changed online according to the process requirements.
The invention comprehensively uses a series of technical means, including real-time network traffic auditing, abnormal-data alarming and communication behaviour tracing, to realise anomaly detection based on communication traffic, and performs targeted detection of abnormal behaviour by port-based identification, behaviour-feature-based identification and payload-based protocol identification; through the interfaces of the control system (serial port, USB port, network port and the like) and the external control line, the physical layer achieves effective physical blocking of network attacks, illegal access and other malicious behaviour during the operation of industrial control system equipment and stops losses in time;
the normal sequence of system states of the industrial control system is analysed with a time-series algorithm, so that a system state deviating from the normal sequence can be detected quickly and possible attack behaviour or system fault states discovered from the system state, ensuring timely information processing; comprehensive security auditing and after-the-fact tracing of packet operand threshold analysis, the process data baseline and the statistical records of operation instructions improve the security protection capability and security level of industrial control system equipment terminals; keyword query and detection make the identification of known protocols more accurate and ensure timely information acquisition;
the security protection management platform performs centralised, unified management of the security protection strategies of multiple industrial control system equipment terminals of the same or different types at the same time; compatibility is good, applicability is better, adding and removing equipment is convenient, alarms can be given and reported in time, the alarm rule base can be updated flexibly, and the protection capability is improved. The system can be widely applied in highly automated industries such as petroleum, metallurgy, and automobile processing and manufacturing.
It is to be understood that the above-described embodiments of the present invention merely illustrate or explain the principles of the invention and are not to be construed as limiting it. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in its protection scope. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (8)

1. An industrial control safety audit system based on protocol depth analysis and application thereof are characterized by comprising a field monitoring layer, a control layer, a physical layer, an industrial control safety audit module and a safety protection management platform, wherein an industrial Ethernet and a field bus are arranged between the field monitoring layer and the physical layer, the field monitoring layer carries out data transmission and behavior control on the control layer through the industrial Ethernet, the physical layer is connected with the field bus through a sensor, an actuator and the like, the field monitoring layer is mainly used for detecting the abnormity of the industrial network, the method mainly comprises the steps of carrying out early warning in time after abnormality is found through comprehensive analysis of safety equipment and application program logs, network connection conditions, alarm data generated by abnormality detection and the like, and technically realizing the method mainly comprises abnormality detection based on communication flow, abnormality detection based on a protocol and abnormality detection based on system operation.
2. The industrial control safety audit system based on protocol deep analysis and the application thereof as claimed in claim 1, wherein the industrial Ethernet may select a TCP/IP based communication protocol such as ModbusTCP or S7COM, and the fieldbus may select one of ModbusRTU and Ethernet communication protocols.
3. The industrial control safety audit system based on protocol deep analysis and the application thereof as claimed in claim 1, characterized in that, for the anomaly detection based on communication traffic, the common effective means of detecting intrusion during traffic anomaly detection comprise:
network real-time traffic auditing, i.e. uninterruptedly acquiring and monitoring network data traffic in real time, discovering anomalies and raising alarms in real time, and monitoring network events such as network storms and ARP attacks;
abnormal data alarming, in which a normal communication behavior baseline is established based on deep packet analysis of the industrial control protocol, the analysis result of the industrial control protocol packets actually acquired in the industrial control network is then compared with the normal behavior baseline, and an alarm is raised when the actual behavior deviates from the normal behavior baseline;
and communication behavior tracing, in which the acquired network communication packets are recorded comprehensively so that the record can be traced back, audit log records of all network behaviors are generated, and a detailed basis is provided for the investigation of security incidents in the industrial control system.
4. The industrial control safety audit system based on protocol deep analysis and the application thereof as claimed in claim 1, wherein the protocol-based anomaly detection mainly targets industrial control configuration software and the proprietary protocols commonly used in industrial control communication networks, including CAN or Modbus TCP etc., and can complete the setup of the protocol's own authentication mechanism, integrity verification mechanism and anti-replay mechanism, thereby performing targeted detection of abnormal behaviors; the identification method mainly comprises:
port-based identification: a default communication protocol is generally defined in the initial communication specification of the protocol design, and most TCP/IP-based network communication protocols can be identified by port mapping, i.e. the communication protocol type is identified according to the port number registered for the protocol's communication port with the Internet Assigned Numbers Authority (IANA);
identification based on behavior characteristics: during operation of the industrial system, different devices and different communication protocols generate different data flows; protocol identification based on communication behavior characteristics borrows from protocol identification methods in the IT field and distinguishes and identifies multiple protocols using the differences in the traffic characteristics the protocols generate during communication;
payload-based protocol identification: preliminary identification of application-layer data is added on top of keyword identification and identification of the network-layer header of the protocol packet; when a protocol packet passes through the identification module, the DPI analysis engine matches the protocol keywords against the application-layer keywords and identifies the application-layer protocol type, so that known protocols are identified more accurately.
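The following is an added example, not code from the patent or from the applicant, showing how the port-based and payload-based identification of claim 4 combine with the normal-behavior baseline of claim 3 for one protocol, Modbus TCP. It assumes a fixed 12-byte request frame (7-byte MBAP header plus a 5-byte PDU for the single-address function codes 1 to 6); the frames, the unit ids and the addresses are constructed for illustration. The point it makes beyond the text is that port-based identification alone accepts anything sent to port 502, whereas the payload check rejects non-Modbus bytes on that port and still recognises Modbus on a non-standard port.

```python
"""Added example: port- and payload-based identification of Modbus TCP plus a
learned communication-behavior baseline. Constructed frames, not captured traffic."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502  # port registered with IANA for Modbus/TCP
# Function codes whose request PDU is a fixed 5 bytes: fc, 16-bit address, 16-bit quantity/value
FIXED_PDU_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                       4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    value: int  # quantity for reads, written value for writes


def parse_modbus_tcp(payload: bytes):
    """Payload-based identification: parse the 7-byte MBAP header and a fixed-size PDU.
    Returns a ModbusRequest, or None when the bytes do not form such a Modbus/TCP request."""
    if len(payload) != 12:
        return None
    tid, proto_id, length, unit, fc, addr, val = struct.unpack(">HHHBBHH", payload)
    # MBAP protocol identifier is always 0; length covers unit id + PDU (1 + 5 bytes)
    if proto_id != 0 or length != 6 or fc not in FIXED_PDU_FUNCTIONS:
        return None
    return ModbusRequest(tid, unit, fc, addr, val)


def identify_protocol(dst_port: int, payload: bytes):
    """Combine port mapping with payload inspection; report which method decided."""
    if parse_modbus_tcp(payload) is not None:
        return ("modbus_tcp", "port+payload" if dst_port == MODBUS_TCP_PORT else "payload")
    if dst_port == MODBUS_TCP_PORT:
        return ("unknown", "port-mismatch")  # port says Modbus, the bytes do not
    return ("unknown", "none")


def build_request(tid: int, unit: int, fc: int, addr: int, val: int) -> bytes:
    """Assemble a 12-byte Modbus/TCP request (used only to construct sample traffic)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, addr, val)


class BehaviourBaseline:
    """Learned from a normal-traffic window: which (unit, function) pairs occur and the
    address span each pair touches. Anything outside that is reported as a deviation."""

    def __init__(self):
        self.address_span = {}  # (unit_id, function_code) -> [lowest, highest] address seen

    def learn(self, req: ModbusRequest) -> None:
        span = self.address_span.setdefault((req.unit_id, req.function_code), [req.address, req.address])
        span[0], span[1] = min(span[0], req.address), max(span[1], req.address)

    def check(self, req: ModbusRequest):
        key = (req.unit_id, req.function_code)
        name = FIXED_PDU_FUNCTIONS[req.function_code]
        if key not in self.address_span:
            return f"unit {req.unit_id}: function {req.function_code} ({name}) never seen in baseline"
        low, high = self.address_span[key]
        if not low <= req.address <= high:
            return f"unit {req.unit_id}: {name} at address {req.address} outside baseline span {low}-{high}"
        return None


def audit_traffic(baseline_frames, observed):
    """Learn the baseline from known-good frames, then audit (dst_port, payload) pairs.
    Returns the list of alarm strings in observation order."""
    baseline = BehaviourBaseline()
    for frame in baseline_frames:
        baseline.learn(parse_modbus_tcp(frame))
    alarms = []
    for port, payload in observed:
        proto, method = identify_protocol(port, payload)
        if proto != "modbus_tcp":
            alarms.append(f"port {port}: unrecognised payload ({method})")
            continue
        verdict = baseline.check(parse_modbus_tcp(payload))
        if verdict:
            alarms.append(verdict)
    return alarms


# Constructed sample traffic for one PLC (unit 1); not captured from a real plant
NORMAL_FRAMES = [build_request(1, 1, 3, 0, 10), build_request(2, 1, 3, 100, 5), build_request(3, 1, 6, 16, 100)]
OBSERVED = [
    (502, build_request(4, 1, 3, 50, 4)),      # read inside the learned span -> no alarm
    (502, build_request(5, 1, 6, 512, 1)),     # write to a register never written in the baseline
    (502, build_request(6, 1, 5, 0, 0xFF00)),  # function code never seen on this unit
    (502, b"GET / HTTP/1.1\r\n"),               # non-Modbus bytes on the Modbus port
]

if __name__ == "__main__":
    for alarm in audit_traffic(NORMAL_FRAMES, OBSERVED):
        print("ALARM:", alarm)
```

The baseline here is deliberately narrow (exact address spans per unit and function code); in a plant audit the learning window would cover a full production cycle, and the span would normally be widened to the register blocks the engineering documentation defines, otherwise a rarely executed but legitimate operation raises a false alarm.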
5. The industrial control safety audit system based on protocol deep analysis and the application thereof according to claim 1, characterized in that, for the anomaly detection based on system operation, since the communication state and the time sequence of the industrial control system are clearly correlated, the normal sequence of system states of the industrial control system can be analyzed with a time-series algorithm to detect system states that deviate from the normal state sequence, so that possible attack behaviors or system fault states are discovered through the system state; the analysis can be carried out on the network traffic time series based on a hidden Markov model, and can also be carried out through anomaly detection against a common system behavior baseline, including packet operand threshold analysis, process data baselines and statistical records of operation instructions, so that the industrial control behavior is analyzed and malicious control exercised through changes of the control parameters is monitored.
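As an added illustration of claim 5 (not code from the patent), the block below learns the normal order of system states as a first-order Markov chain, a deliberately simplified stand-in for the hidden Markov model the claim names, and combines it with the two baseline checks the claim lists: a process data baseline (the value span each setpoint tag was written with during normal operation) and an operation-instruction statistic (the number of write instructions per observation window). The batch-process state names, tag names and values are constructed for the example.

```python
"""Added example: state-sequence, process-value and write-rate anomaly detection.
A first-order Markov chain stands in for the HMM; all data below is constructed."""
import math
from collections import Counter, defaultdict


def learn_transitions(sequence):
    """Estimate P(next_state | state) from a normal state sequence."""
    counts = defaultdict(Counter)
    for a, b in zip(sequence, sequence[1:]):
        counts[a][b] += 1
    return {a: {b: n / sum(c.values()) for b, n in c.items()} for a, c in counts.items()}


def score_sequence(model, sequence, min_prob=0.0):
    """Return (log-likelihood of the observed transitions, list of flagged transitions).
    A transition with probability <= min_prob is flagged as (index, from, to) and excluded
    from the log-likelihood so that one unseen transition does not yield -inf."""
    log_likelihood, flagged = 0.0, []
    for i, (a, b) in enumerate(zip(sequence, sequence[1:])):
        p = model.get(a, {}).get(b, 0.0)
        if p <= min_prob:
            flagged.append((i, a, b))
            continue
        log_likelihood += math.log(p)
    return log_likelihood, flagged


def learn_value_spans(writes):
    """Process data baseline: tag -> (lowest, highest) value written during normal operation."""
    spans = {}
    for tag, value in writes:
        low, high = spans.get(tag, (value, value))
        spans[tag] = (min(low, value), max(high, value))
    return spans


def audit_operation(model, value_spans, max_writes_per_window, states, writes):
    """Run the three checks over one observation window and return alarm strings."""
    alarms = []
    _, flagged = score_sequence(model, states)
    for index, a, b in flagged:
        alarms.append(f"state transition {a} -> {b} at step {index} never seen in normal sequence")
    for tag, value in writes:
        if tag not in value_spans:
            alarms.append(f"write to tag {tag} never written in baseline")
            continue
        low, high = value_spans[tag]
        if not low <= value <= high:
            alarms.append(f"tag {tag} written with {value}, outside baseline span {low}-{high}")
    if len(writes) > max_writes_per_window:
        alarms.append(f"{len(writes)} write instructions in window exceeds threshold {max_writes_per_window}")
    return alarms


# Constructed normal operation: three identical batch cycles and the setpoint writes seen in them
NORMAL_STATES = ["IDLE", "FILL", "HEAT", "HOLD", "DRAIN"] * 3 + ["IDLE"]
NORMAL_WRITES = [("temp_sp", 60), ("temp_sp", 65), ("temp_sp", 70), ("level_sp", 80)]
MAX_WRITES_PER_WINDOW = 5  # assumed operator-defined threshold for this example

# Constructed suspicious window: FILL is skipped, the temperature setpoint is pushed far
# above anything seen before, and writes are issued far faster than usual
SUSPECT_STATES = ["IDLE", "HEAT", "HOLD", "DRAIN", "IDLE"]
SUSPECT_WRITES = [("temp_sp", 95)] + [("level_sp", 80)] * 6

if __name__ == "__main__":
    model = learn_transitions(NORMAL_STATES)
    spans = learn_value_spans(NORMAL_WRITES)
    for alarm in audit_operation(model, spans, MAX_WRITES_PER_WINDOW, SUSPECT_STATES, SUSPECT_WRITES):
        print("ALARM:", alarm)
```

Three independent signals agree in the constructed window, which is the kind of corroboration an audit platform should demand before escalating: one of them alone (a setpoint slightly above its usual span, say) is as likely to be a process change as an intrusion.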
6. The industrial control safety audit system and application thereof based on protocol deep analysis according to claim 1, characterized in that the industrial control safety audit module mainly comprises collection of various industrial data, deep analysis and processing of data packets, and anomaly detection based on communication protocol data and industrial process data; the collection of various industrial data serves as the data source for protocol analysis, and a reliable and efficient collection method ensures the timeliness of data analysis by the anomaly detection system; the deep analysis of data packets analyzes the payload of the industrial control protocol application layer at all analysis positions and realizes the construction of application-layer protocol analysis rule bases such as Siemens S7COM, Modbus TCP and CANet, the protocol deep analysis being completed with these rules as the analysis standard; the anomaly detection based on communication protocol data and industrial process data mainly uses a detection model and a detection algorithm to analyze and process the communication data from the previous module together with the industrial process data, and when a state deviating from the normal operation of the industrial control is detected, the system issues an early warning in time and reports the related abnormal information to the safety protection management platform.
7. The industrial control safety audit system based on protocol deep analysis and the application thereof according to claim 1, characterized in that the application equipment of the physical layer comprises a human-computer interaction interface through which data parameters can be set, the operation mode being guided by the operation interface so that the collection of useless abnormal information is avoided; at the same time the system comprises a connecting switch connected to an external control circuit, which physically partitions off external malicious operation and control and reduces losses.
8. The industrial control safety audit system based on protocol deep analysis and the application thereof according to claim 1, characterized in that the safety protection management platform mainly issues timely and effective warnings for the different analysis results obtained after data security analysis; the designers of the security audit product customize an attack alarm rule base of the industrial control network security audit product according to the summarized process control requirements, and can provide, in the form of an operation interface, an alarm rule base that is flexibly updated online as the process requirements change.
CN202011169055.7A 2020-10-28 2020-10-28 Industrial control safety audit system based on protocol deep analysis and application thereof Pending CN112306019A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011169055.7A CN112306019A (en) 2020-10-28 2020-10-28 Industrial control safety audit system based on protocol deep analysis and application thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011169055.7A CN112306019A (en) 2020-10-28 2020-10-28 Industrial control safety audit system based on protocol deep analysis and application thereof

Publications (1)

Publication Number Publication Date
CN112306019A true CN112306019A (en) 2021-02-02

Family

ID=74332139

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011169055.7A Pending CN112306019A (en) 2020-10-28 2020-10-28 Industrial control safety audit system based on protocol deep analysis and application thereof

Country Status (1)

Country Link
CN (1) CN112306019A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209843A (en) * 2016-07-12 2016-12-07 工业和信息化部电子工业标准化研究院 A data flow anomaly analysis method for the Modbus protocol
CN110401642A (en) * 2019-07-10 2019-11-01 浙江中烟工业有限责任公司 An industrial control traffic acquisition and protocol analysis method
CN110597856A (en) * 2019-08-20 2019-12-20 华能四川水电有限公司 Rapid retrieval system and method for deep flow analysis data
CN110839043A (en) * 2019-11-27 2020-02-25 中国石油化工股份有限公司胜利油田分公司胜利采油厂 Industrial control network minimization unit isolation control method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
高巍伟 (Gao Weiwei): "Design and implementation of an industrial control information security monitoring system based on deep protocol parsing", China Masters' Theses Full-text Database, Information Science and Technology series *

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113225321A (en) * 2021-04-22 2021-08-06 福建奇点时空数字科技有限公司 anti-Dos method for SDN virtual machine based on intelligent migration strategy
CN113645065A (en) * 2021-07-21 2021-11-12 武汉虹旭信息技术有限责任公司 Industrial control safety audit system and method based on industrial internet
CN113645065B (en) * 2021-07-21 2024-03-15 武汉虹旭信息技术有限责任公司 Industrial control security audit system and method based on industrial Internet
CN114448654B (en) * 2021-09-02 2023-03-31 中国科学院信息工程研究所 Block chain-based distributed trusted audit security evidence storing method
CN114448654A (en) * 2021-09-02 2022-05-06 中国科学院信息工程研究所 Block chain-based distributed trusted audit security evidence storing method
CN113660296A (en) * 2021-10-21 2021-11-16 中国核电工程有限公司 Method and device for detecting anti-attack performance of industrial control system and computer equipment
CN114125083A (en) * 2021-11-24 2022-03-01 河南中裕广恒科技股份有限公司 Industrial network distributed data acquisition method and device, electronic equipment and medium
CN114301645A (en) * 2021-12-16 2022-04-08 北京六方云信息技术有限公司 Abnormal behavior detection method and device, terminal device and storage medium
CN114553749A (en) * 2022-02-18 2022-05-27 科来网络技术股份有限公司 Private protocol analysis method, device, computer equipment and readable storage medium
CN116680098A (en) * 2022-02-23 2023-09-01 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Industrial robot safety monitoring method and device and electronic equipment
CN116680098B (en) * 2022-02-23 2024-06-11 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Industrial robot safety monitoring method and device and electronic equipment
WO2024035405A1 (en) * 2022-08-11 2024-02-15 Siemens Corporation Interpreting and categorizing traffic on industrial control networks
CN115499238B (en) * 2022-09-30 2023-04-28 北京珞安科技有限责任公司 Industrial control network threat analysis method based on industrial control behavior analysis
CN115499238A (en) * 2022-09-30 2022-12-20 北京珞安科技有限责任公司 Industrial control network threat analysis method based on industrial control behavior analysis
CN115834738A (en) * 2023-01-09 2023-03-21 科来网络技术股份有限公司 Industrial control business behavior identification method and device, electronic equipment and readable medium
CN116170236A (en) * 2023-04-24 2023-05-26 成都星云智联科技有限公司 Industrial control system abnormal flow detection method and system
CN118034229A (en) * 2024-04-15 2024-05-14 信联科技(南京)有限公司 Open scene-oriented safety industrial control system

Similar Documents

Publication Publication Date Title
CN112306019A (en) Industrial control safety audit system based on protocol deep analysis and application thereof
CN108769022B (en) Industrial control system safety experiment system for penetration test
CN112799358B (en) Industrial control safety defense system
EP3101581B1 (en) Security system for industrial control infrastructure using dynamic signatures
CN108933791B (en) Intelligent optimization method and device based on power information network safety protection strategy
CN110336827B (en) Modbus TCP protocol fuzzy test method based on abnormal field positioning
CN109739203B (en) Industrial network boundary protection system
Settanni et al. Protecting cyber physical production systems using anomaly detection to enable self-adaptation
CN114567463B (en) Industrial network information safety monitoring and protecting system
Zheng et al. Safeguarding building automation networks: THE-driven anomaly detector based on traffic analysis
CN110113336B (en) Network flow abnormity analysis and identification method for transformer substation network environment
CN110365709B (en) Device for sensing unknown network attack behavior based on upstream probe
CN214306527U (en) Gas pipe network scheduling monitoring network safety system
CN117061569B (en) Internet of things-based industrial and social interaction digital information monitoring system
CN109768971A (en) A method of based on network flow real-time detection industrial control host state
CN112149120A (en) Transparent transmission type double-channel electric power Internet of things safety detection system
CN114553537A (en) Abnormal flow monitoring method and system for industrial Internet
CN112437041A (en) Industrial control safety audit system and method based on artificial intelligence
Matoušek et al. Efficient modelling of ICS communication for anomaly detection using probabilistic automata
Choi et al. An analytics framework for heuristic inference attacks against industrial control systems
CN110365717A (en) Industrial intrusion detection method and system based on HART-IP agreement
Luo et al. Research on cybersecurity testing for in-vehicle network
CN114125083A (en) Industrial network distributed data acquisition method and device, electronic equipment and medium
CN113132370A (en) Universal integrated safety pipe center system
Schuster et al. A distributed intrusion detection system for industrial automation networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Wang Yongfeng; Guan Yong; Zhang Xiaodong
Inventor before: Wang Yongfeng; Guan Yong; Zhang Xiaodong; Peng Jing
RJ01 Rejection of invention patent application after publication
Application publication date: 20210202